Method of authentication of users in data processing systems

ABSTRACT

A method of authentication of users in a data processing system is provided. The method includes a “Challenge” univocally associated with a user to be authenticated; processing the “Challenge” to generate an expected answer code, to be compared with an answer code that the user has to provide for authentication; encoding the generated “Challenge” for obtaining an image displayable through a display device; sending the image containing the “Challenge” to the user; displaying the image containing the “Challenge”; through a user device provided with an image-capturing device, optically capturing the displayed image; through the user device, processing the captured image for extracting from the captured image the “Challenge”, and subsequently processing the obtained “Challenge” for generating the answer code; receiving the answer code from the user and comparing it to the expected answer code; and, in case of positive comparison, authenticating the user. One among the actions of generating a “Challenge” and an expected answer code, and the action of processing the captured image that generates the answer code exploit secret information univocally associated with the user.

CROSS REFERENCE TO RELATED APPLICATIONS

This is a U.S. National Phase Application under 35 U.S.C. §371 ofInternational Application No. PCT/IB2007/003283, filed Oct. 30, 2007,which was published Under PCT Article 21(2), the entire contents ofwhich are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates in general to the field of data processingsystems, or computer systems, and of data networks. The invention moreparticularly relates to methods and systems for the authentication ofusers in data processing systems and data networks.

DESCRIPTION OF THE RELATED ART

With the term “authentication” the process is generally intended throughwhich two or more separate entities, for instance a “client” dataprocessing unit and a “server” data processing unit in a “client-server”system, can mutually verify their identity.

Several methods of authentication of a user at a computer system areknown, that provide for assessing the identity of the user exploitingfor instance one or more among the following verify methodologies:

-   -   something that the user is (for instance exploiting biometric        data like the fingerprints, the vocal imprint, the retinal        model, the DNA sequence or the calligraphy or other biometric        identifiers of the user);    -   something that the user has or possesses (for instance, an        identification card or a hardware device—“token”—, for example a        hardware key or a “smart card” to be coupled to his/her own        computer, possibly through a suitable reader device);    -   something that the user knows (for instance a password, a        keyword and/or a “PIN”—Personal Identification Number—or a        “user-name”).

In the past, for the authentication of a user this last paradigm wasmainly exploited: the user, to be authenticated at data processingsystem, had to furnish a combination of user-name and password.

Nowadays the issue of the authentication of a user is even more feltthan before, in consequence of the continuous increase of services madeavailable on-line through data networks (for instance, banking services,services of trading of stocks or bonds, electronic messagingservices—“e-mail”—, “Really Simple Syndication”—RSS—services,newsgroups, etc.), enjoyable by a user through a computer network(Internet, company intranet and “extranet”), and, recently, alsoentertainment services that involve the distribution subjected topayment of contents based on the DTT (Digital Terrestrial Television)and IPTV (Internet Protocol TeleVision) technologies.

Mechanisms of authentication have thus been developed that are safer andstronger in comparison to the normal mechanism based onuser-name/password, such as for instance the solutions based onbiometric detection or those based on hardware tokens or smart cards,accompanied by specific software (“One Time Password”—OTP—, digitalcertificates and the like).

In “Authentication Using Multiple Communication Channels” by ShintaroMizuno, Kohji Yamada, Kenji Takahashi, NTT Information Platform SharingLaboratories, Proceedings of the 2005 workshops on Digital identitymanagement, 2005, Fairfax, Va., USA, Nov. 11-11, 2005, pages 54-62, a“challenge-response” authentication mechanism is described that makesuse of a bidimensional barcode. The service provider site sends to acomputer of the user, connected over the Internet, a barcode thatincludes a “challenge”; using a cellular telephone, the user reads thebidimensional barcode displayed on the screen of the computer; usingagain the cellular telephone, the “challenge” is sent, over a cellulartelephony network, to the service provider, through an authenticationserver, and it is then re-sent to the cellular telephone with asignature of the service provider.

In J. M. McCune et al., “Seeing-Is-Believing: Using Chamber Phones forHuman-Verifiable Authentication”, Proceedings of the 2005 IEEE Symposiumon Security and Privacy, May 8-11, 2005, The Claremont Resort, Oakland,Calif., USA, pages 110-124, a system is presented that usesbidimensional barcodes and cellular phones with camera to implement avisual identification channel; the cellular phone has to be able to usethe integrated camera to recognize bidimensional barcodes. The methoduses the bidimensional barcodes to transfer on a mobile device a hashthat will serve to verify an authentication key exchanged in other way(infrared communication, bluetooth) to establish a secure connectionwith a TCG-compliant application (where TCG stands for Trusted ComputingGroup, an organization that promotes open standards to strengthen thedata processing platforms against software attacks).

SUMMARY OF THE INVENTION

The Applicant has observed that the above described technologies arerather complex and their cost can exponentially grow with respect to thedegree of safety and reliability that they are asked to offer.

For instance, in the solutions based on the use of hardware tokens, anextremely precise clock is present on the server that is able to“synchronize” with that of the device possessed by the user;discordances in the synchronization make both the user device and theauthentication process unusable.

The technique described in the article of Mizuno et al. has the problemof needing a connection to a mobile telephony network, something that isnot always possible.

The method described in the article of McCune et al. is not used forauthenticating the user, but rather applications or devices with whichit is intended to establish a data connection, and it uses some form ofradio or wired communication. The security is only linked to thepossession of the terminal.

The Applicant has therefore observed that there is the need of makingavailable a new methodology of authentication of the user, having a highdegree of security and a lower implementation cost compared to thecurrently available solutions.

The Applicant has found a methodology that is secure and, at the sametime, has a low implementation cost; such methodology exploits amechanism of authentication of the type “Challenge-Response”.

For the purposes of the present invention, by “Challenge-Response”mechanism it is intended a mechanism such that a subject/entity thatdesires to authenticate at another entity, and the authenticator entityprove to share capabilities based on data processing methodologies (forinstance, encryption/decryption capabilities, hashing capabilities,encoding/decoding capabilities) or information (for instance, username,PIN, encryption or hashing keys) that allow the mutual recognition; such“Challenge-Reponses” mechanisms are for instance exploited in the CHAP(Challenge Handshake Authentication Protocol) or Kerberos protocols, orin the authentication in mobile telephony networks of second and thirdgeneration. Particularly, for the purposes of the present invention, by“Challenge” it is intended information sent to the subject that has tobe authenticated, that is univocally correlated to the subject to beauthenticated, and that the subject to be authenticated exploits forshowing to possess a determined ability, generating the correct“Response” expected by the authenticator entity.

Particularly, the dispatch to the user of the authentication “Challenge”by the data processing system, e.g. an authentication server, at whichthe user desires to authenticate is for instance made in graphic form,for example in form of bidimensional barcode. The content of the graphic“Challenge” sent to the user can, if desired, be protected usingencryption techniques and/or techniques of information authentication.

To generate the “Response” to be returned to the authentication server,the user uses a device with image capturing capabilities which isdistinct from the computer through which the user has to input theinformation necessary to his/her authentication. For instance, suchdevice can advantageously be a cellular telephone equipped with a cameraor camcorder, a more and more diffused device nowadays, with installed asuitable software or firmware adapted to the recognition and theprocessing of the “Challenge” received in graphic form.

The “Response” sent by the user in answer as a result of the processingof the received “Challenge” does not contain enough information to makeone able to retrieve the “Challenge” from which it has been calculated,and it cannot be used by an attacker with the purpose of interfering inthe communication between the authentication server and the user or viceversa.

An advantage of the proposed solution is that, for its operation, itdoes not require radio coverage, particularly by a mobile telephonynetwork, since it exploits an “optical” reading of the information.Another advantage is that it is not based on an internal clock toproduce the authentication information that has to be inputted.

Preferably, the authentication information produced by theauthentication server, i.e. the “Challenge” and the “Response” expectedas a response from the user, have a limited temporal validity, toprevent any possible fraudulent reuse thereof.

Preferably, the authentication server can implement mechanisms adaptedto disable the user after a limited number, for instance equal to three,of consecutive unsuccessful attempts of authentication.

An advantage of the proposed solution is that the management costs arereduced compared to other authentication methodologies, becauseexisting, non-specialized devices and software solutions are used.

According to an aspect of the present invention, a method ofauthentication of users in data processing systems is provided. Themethod includes:

-   -   generating a “Challenge” univocally associated with a user to be        authenticated;    -   processing the “Challenge” to generate an expected answer code,        to be compared to an answer code that the user has to furnish        for his/her authentication;    -   encoding the generated “Challenge” to obtain an image        displayable through a display device adapted to display the        image to the user;    -   sending the image containing the “Challenge” to the user;    -   displaying the image containing the “Challenge” to the user        through the display device;    -   through a user device equipped with an image-capturing device,        optically capturing the displayed image;    -   through the user device, processing the captured image for        extracting from the captured image the “Challenge”, and        subsequently processing the obtained “Challenge” to generate the        answer code;    -   receiving the answer code from the user and comparing it to the        expected answer code; and    -   in case of positive comparison, authenticating the user,

wherein one among said actions of generating the “Challenge” and theexpected answer code, and said action of processing the captured imagethat generates said answer code exploit a secret information univocallyassociated with the user.

Said generating an expected answer code can include associating with theexpected answer code a time validity limit, and said receiving theanswer code from the user and comparing it to the expected answer codeincludes assessing if the answer code from the user is received withinsaid time validity limit.

Said generating the “Challenge” can include generating a substantiallyrandom sequence of bits.

Said generating the “Challenge” can moreover include encoding thesubstantially random sequence of bits into a first string ofalphanumeric characters that univocally represents it.

Said encoding the “Challenge” can also include encoding the first stringof alphanumeric characters, and encoding the encoded first string ofalphanumeric characters to obtain the image displayable through thedisplay device.

Said generating the expected answer code can include encrypting thesubstantially random sequence of bits with said secret information orcalculating a hash of the substantially random sequence of bits withsaid secret information.

Said generating the expected answer code can also include encoding theencrypted substantially random sequence of bits, or the hash of thesubstantially random sequence of bits, to obtain a second string ofalphanumeric characters and storing the obtained string.

Said processing the captured image for extracting from the capturedimage the “Challenge” and generating the answer code can in particularinclude:

-   -   decoding the first string of alphanumeric characters to obtain        the substantially random sequence of bits;    -   encrypting the substantially random sequence of bits with said        secret information to obtain a further encrypted substantially        random sequence of bit, or calculating a hash of the        substantially random sequence of bits with said secret        information;    -   encoding the further encrypted substantially random sequence of        bits, or the hash of the substantially random sequence of bits,        to obtain the second string of alphanumeric characters, said        second string of alphanumeric characters constituting the answer        code.

Said generating the “Challenge” may comprise encrypting thesubstantially random sequence of bits with said secret information, andpossibly encoding the encrypted substantially random sequence of bitsinto a first string of alphanumeric characters, and encoding the firststring of alphanumeric characters to obtain the image displayablethrough the display device.

Said generating the expected answer code can include encoding thesubstantially random sequence of bits into a second string ofalphanumeric characters and storing the obtained second string.

Said processing the captured image for extracting from the capturedimage the “Challenge” and generating the answer code can include:

-   -   decoding the first string of alphanumeric characters to obtain        the encrypted substantially random sequence of bits;    -   decrypting the encrypted substantially random sequence of bits        with said secret information to obtain the substantially random        sequence of bits;    -   encoding the substantially random sequence of bits to obtain the        second string of alphanumeric characters, said second string of        alphanumeric characters constituting the answer code.

Said encoding the generated “Challenge” to obtain an image can includegenerating a bidimensional barcode.

Said authenticating the user can include enable the user accessing,through a data processing terminal of the user connected to a datanetwork, a service made available by a server connected to said network.

Said encoding the generated “Challenge” for obtaining an image cancomprise including in the image summary information adapted to identifya transaction effected by the user.

Said sending the image containing the “Challenge” to the user cancomprise including the image into an electronic mail message, andsending the electronic mail message to the user.

Said authenticating the user can include allowing the user to display anelectronic document attached to the electronic mail message.

According to another aspect of the present invention, a system for theauthentication of users in a data processing system is provided.

The system includes:

a) an authentication server, said authentication server being in useadapted to:

-   -   generate a “Challenge” univocally associated with a user to be        authenticated;    -   processing the “Challenge” to generate an expected answer code,        to be compared to an answer code that the user has to furnish        for his/her authentication;    -   encoding the generated “Challenge” for obtaining an image;    -   sending the image containing the “Challenge” to a user's data        processing terminal through a data network;

wherein the user's data processing terminal comprises a display deviceadapted to display to the user the image containing the “Challenge”;

b) a user device equipped with an image-capturing device, adapted tooptically capture the displayed image, the user's device being adaptedin use to process the captured image for extracting from the capturedimage the “Challenge” and to process the “Challenge” to generate ananswer code to be compared to the expected answer code for theauthentication of the user,

wherein one among said actions of generating a “Challenge” andgenerating an expected answer code, and said action of processing thecaptured image to generate the answer code use a secret informationunivocally associated with the user.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and the advantages of the present invention will be madeapparent by the following detailed description of some possibleembodiments thereof, provided merely by way of non-limitative examples,description that will be conducted making reference to the attacheddrawings, wherein:

FIG. 1 schematically shows a logical model of an authentication systemadapted to implement an authentication method according to an embodimentof the present invention, with represented the main constituent elementsand the respective interactions;

FIG. 2 schematically shows a first implementation mode of anauthentication method according to an embodiment of the presentinvention, hereinafter also defined “symmetrical mode”;

FIG. 3 schematically shows a second implementation mode of anauthentication method according to an embodiment of the presentinvention, hereinafter also defined “asymmetrical mode”;

FIG. 4 schematically shows, in terms of the main operations performed bythe different players and of the information exchanged among them, apossible application of the asymmetrical authentication mode, accordingto an embodiment of the present invention;

FIG. 5 schematically shows, in terms of the main operations performed bythe different players and of the information exchanged among them,another possible application of the asymmetrical authentication mode,according to an embodiment of the present invention;

FIG. 6 schematically shows, in terms of the main operations performed bythe different players and of the information exchanged among them, apossible application of the symmetrical authentication mode, accordingto an embodiment of the present invention;

FIG. 7 schematically show, in terms of the main operations performed bythe different players and of the information exchanged among them, stillanother possible application of the asymmetrical authentication mode,according to an embodiment of the present invention;

FIG. 8A shows a possible aspect of an electronic mail message receivedby the user, in a further possible application of the authenticationmethod according to an embodiment of the present invention;

FIG. 8B shows a possible aspect of an attachment to the electronic mailmessage of FIG. 8A, in PDF format, containing confidential informationand a link to an Internet site through which on-line services areoffered;

FIG. 9 schematizes a process of local verification of the authenticityof the electronic mail message of FIG. 8A.

DETAILED DESCRIPTION OF SOME EMBODIMENTS OF THE INVENTION

With reference to the drawings, in FIG. 1 there is schematically shown alogical model of an authentication system 100 according to an embodimentof the present invention, with represented the main constituent elementsand the respective interactions.

In the figure, reference 105 identifies an authentication server, atwhich the users, for instance the user denoted with the reference 110 inthe figure, having a personal computer or user terminal 115 connected toa data network 120 like for instance the Internet, a company's intranet,an extranet, has to authenticate to be able to enter and enjoy theservices made available by the authentication server 105 itself, or, ingeneral, by one or more other servers (not shown in the figure), whichrely on the services offered by the authentication server 105 for theauthentication of their own users that request to exploit the servicesoffered by such other servers. The user terminal 115 can be aconventional Personal Computer (PC), fixed or portable, or any otherdata processing device.

Each time the user 110 wants to be authenticated at the authenticationserver 105, the latter, after having received the authentication requestfrom the user terminal 115 through the data network 120, sendsauthentication information to the terminal 115 of the user 110, throughthe data network 120.

The authentication information is firstly generated by theauthentication server 105 by means of a generation algorithm 123, andthen it is processed by a suitable processing algorithm 125; the resultof the processing of the authentication information is stored on amemory support 130, for instance a file or a database on a non-volatilesupport, as a result expected as an answer from the user 110;preferably, a respective limited temporal validity is associated withsuch expected result (as schematically depicted in the figure by theclock 135 associated with the memory support 130).

Subsequently, the authentication server 105 encodes in graphic form theauthentication information previously generated, by means of an imageprocessing algorithm 140.

Authentication information 145 encoded in graphic form is thus obtained,that is sent by the authentication server 105 to the terminal 115 of theuser 110, through the data network 120. Such authentication information145 constitutes the graphic “Challenge” that will be received by theuser 110 on his/her own terminal 115.

Once received by the user terminal 115, the authentication informationencoded in graphic form, i.e. the graphic “Challenge”, is presented tothe user 110 as an image, for instance on a display device 147 like ascreen or monitor of the computer 115, and/or possibly printed on apaper support by means of a printer (not shown).

The user 110 possesses a device 150, preferably a portable device likefor instance a cellular phone, a “smartphone”, a PDA (“Personal DigitalAssistant”) or similar device, equipped with an optical image-capturingdevice 155, for instance a digital camera or a camcorder, capable ofcapturing the image displayed by the user terminal 115 (or printed onthe paper support), without the need of any physical contact/data linkbetween the portable device 150 and the user terminal 115.

After having captured the image, the portable device 150, by means of asuitable software preinstalled on it and that, when executed, is atleast partially loaded in a working memory 160 of the portable device150, performs a digital processing of the captured image. Particularly,through an image processing algorithm 165, the graphic “Challenge” isextracted from the captured image and decoded. The information containedin the extracted and decoded graphic “Challenge” is then processed by aprocessing algorithm 170, capable of providing to the user 110, througha video and/or audio interface 175 present in the portable device 150,information, derived from the content of the processed graphic“Challenge”, that the user 110 will have to return to the authenticationserver 105 to be authenticated.

Using the terminal 115, the user 110 communicates to the authenticationserver 105 the video and/or audio information provided thereto byhis/her own portable device 150; such information that the usercommunicates to the authentication server 105 forms the “Response” 180to the received “Challenge” 145.

The authentication server 105, having received from the user 110 the“Response” 180 through the data network 120, by means of a comparisonalgorithm 185 compares the information received by the user with whatpreviously stored on the memory support 130 as expected result,analyzing in particular the temporal validity and the content of it. Ifthe verification has positive result, the authentication server 105communicates to the user (through the data network 120 and the terminal115) that he/she has been “approved” and authenticated, otherwise theverification failure is preferably communicated to the user. Preferably,after a predetermined number, for instance three, of consecutive failedattempts of authentication, the user 110 is not accepted by the systemanymore; the authentication server 105 can possibly disable the user110, so as to prevent further attempts of authentication; to bere-enabled, the user will for instance have to contact a help desk.

In the following of the present description, two possible implementationmodes of the authentication method presented above will be described: afirst mode, that will be called “symmetrical”, and a second mode, thatwill be called “asymmetrical”. Shortly, the symmetrical mode providesthat the processing algorithm 125 used by the authentication server 105and the processing algorithm 170 used by the portable device 150 of theuser 110 are substantially identical, while the asymmetrical modeprovides that the two processing algorithms are different.

Symmetrical Mode

In FIG. 2 there is schematically shown, in terms of the main operationsperformed by the different players and of the information exchangedamong them, the symmetrical mode of implementation of the authenticationmethod according to an embodiment of the present invention.

The user 110 that desires to exploit the authentication services madeavailable by the authentication server 105 preliminarily has tosubscribe to such services. At the subscription, a profile of the user110 is created on the authentication server 105, and univocalidentification code User_ID and an encryption key K are associatedtherewith; the identification code User_ID and the encryption key K arethen also installed on the portable device 150 of the user 110. Theidentification code User_ID can be configured by the user, or preferablyby an administrator upon request by the user, directly on theauthentication server 105. The encryption key K can be provisioned tothe user in different ways and it is preferably protected through anencryption algorithm, so that for its use the user will have to enter anunblocking code known only to him/her. In particular, the encryption keyK can be provisioned to the user via SMS (Short Message Service) sent toa cellular phone of the user and intercepted by software installed onthe cellular phone, or the encryption key K can be integrated in aninstallation package provided to the user at the subscription of theservice. Another possibility consists in an optical capture of theencryption key K, in a way similar to that described before for thecapturing of the “Challenge” 145 (in this case, the software installedon the portable device 150 of the user has personal but provisionalencryption key, to be used only the first time for the installation ofthe encryption key K that will subsequently be used). A furtherpossibility provides that the encryption key K is pre-installed on theportable device 150 of the user or on the SIM (Subscriber IdentityModule) provisioned to the user by an operator of a mobile telephonynetwork. Combinations of the preceding methods are also possible: forinstance, the first installation of the encryption key K can take placethrough dispatch of an SMS message, and if, during the time, theencryption key K need to be replaced, this can be done via opticalcapture, or the encryption key K, initially installed through theinstallation package, can subsequently be replaced via optical capture.The user can also have more than one encryption key installed, thedifferent encryption keys being used for different authenticationservices (for instance, two or more of the authentication services thatwill be described hereinafter).

The process of authentication of the user 110 starts with an explicitauthentication request submitted by the user 110, who, declaring his/herown identity to the authentication server 105, for instance usinghis/her own personal identification code User_ID, triggers theauthentication process. In an embodiment of the present invention, theauthentication process evolves as described herebelow. The variousphases that will be described are identified by respective referencenumerals in the drawing.

Phase 205. Using a suitable, hardware or software generator,schematically represented by the block 123 in FIG. 1, the authenticationserver 105 generates a “Challenge” CLG; this latter can be for instanceconstituted by a random sequence of bits, for instance at least 128 bitslong (however, the length of the sequence forming the “Challenge” CLG isnot limitative for the purposes of the present invention). The generator123 of the “Challenge” CLG can for instance use a generation algorithmof random sequences of bits complying with the directive NIST FIPS Pub140-2.

Phase 210. The authentication server 105 then proceeds to encrypting the“Challenge” CLG thus generated with an encryption algorithm, forinstance a symmetric key algorithm, such as an algorithm complying tothe standard AES (Advanced Encryption Standard), using the encryptionkey K associated with the user 110 identified by the personalidentification code User_ID that the user 105 has provided to theauthentication server with the authentication request. An encryptedrandom sequence of bits ECLG (Encrypted CLG) is thus obtained, forinstance 128 bits long.

Phase 215. The authentication server 105, through a suitable algorithm,schematically represented by the block 125 in FIG. 1, transforms theencrypted random sequence of bits ECLG into a textual string AECLG (forinstance according to the ASCII code), of predetermined length (forinstance of 10 characters). Preferably, an alphabet is used such as toguarantee that the textual string AECLG thus obtained is univocallyrepresentative of the encrypted random sequence of bits ECLG, it can beentered by the user using conventional data input devices (keyboard,mouse) of which a computer is normally equipped, and it does not containambiguities on the characters (for instance, the textual string AECLGpreferably does not at the same time contain the characters “o”, “O”,“0” or “i”, “I”, “L”). The alphabet can have any cardinality, and cancontain any alphanumeric character (for instance a . . . z, A . . . Z, 0. . . 9, !″£$ %éèàçà@ù).

Particularly, to transform a random sequence of mutually independentbits and uniformly distributed into a correspondent textual string, adecimation algorithm can be used. The obtained textual string isconstituted by a succession of symbols, derived from the random sequenceof bits, which also satisfy the requirement of independence and uniformdistribution. Later on, an example of an algorithm will be describedthat, starting from such a random sequence of bit, is able to derivetherefrom a textual string that is constituted of symbols belonging to aconfigurable alphabet (numerical or alphanumeric) and of configurablelength.

Phase 220. Preferably, the authentication server 105 sets a temporalterm of validity of the textual string AECLG, defined as the maximumtime within the authentication server 105 waits for the user 110 toreturn his/her answer, that is the verification “Response” (forinstance, the term of validity can be of some minutes, e.g. 2 minutes).

Phase 225. The authentication server 105 stores the string AECLG and,where provided for, the temporal term of validity associated thereto ina local file (shown schematically in FIG. 1 by the block 130), waitingfor them to be compared to the “Response” received by the user.

Phase 230. The authentication server 105 then encodes the binary randomsequence forming the “Challenge” CLG into characters, for instance usingthe Base64 format, obtaining an encoded string B64CLG. In alternative,to reduce the number of characters to be graphically encoded, it ispossible to use a coding method that consists in converting the binaryrandom sequence CLG into a sequence of Bytes, and then transforming thehexadecimal value of every Byte of the sequence into characters,according to the alphabet (0 . . . 9 to . . . F). For instance, thesequence of bits “10101010” is encoded into “AA”; in this way, a binarysequence of 128 bits is encoded into a sequence of 32 characters.

Phase 235. The authentication server 105 then uses the string B64CLG forthe generation of suitable graphics, which, through the data network120, is sent to the terminal 115 of the user 110.

Phase 240. After having sent to the authentication server 105 theauthentication request, the user 110 activates on his/her own portabledevice 150 a suitable application, previously installed on the portabledevice 150 (for instance in the phase of subscription to the servicesoffered by the authentication server 105) capable of optically capturingthe graphic “Challenge” 145 received by the authentication server 105;preferably, the application is protected by a start PIN (PersonalIdentification Number), that allows accessing the encryption key K ofthe user, maintained in encrypted way on the terminal.

Phase 245. Through its graphic interface, the user terminal 115 displayson its screen to the user 110 an image containing the graphic“Challenge” 145 received; through the portable device 150, the user 110captures the displayed graphic “Challenge”, for instance taking aphotograph of the image of the screen 147 of the terminal 115 on whichthe graphic “Challenge” is displayed. In alternative to the display onthe screen 147 of the terminal 115, the printout of the image on a papersupport can be foreseen.

Phase 250. A suitable application (schematically represented by theblock 165 in FIG. 1) resident on the portable device 150 of the user 110analyzes and extracts from the photographed image the string B64CLG.

Phase 255. The application 165 on the portable device 150 then convertsthe string B64CLG (encoded with B64 or other coding, for instance thehexadecimal coding previously described) into the binary sequence CLG.

Phase 260. The processing algorithm 170 on the portable device 150 thenencrypts the binary sequence CLG using the encryption key K of the user110 (in alternative to the encryption key resident K on the portabledevice 150, it is also possible to use as encryption key the PIN used tostart the displaying application resident on the user terminal 115),with an algorithm identical to that used by the authentication server105, obtaining an encrypted sequence ECLG, for instance 128 bits long.

Phase 265. The encrypted sequence ECLG thus obtained is then transformedby the processing algorithm 170 on the portable device 150 into atextual string AECLG, using the same methodology and alphabet used bythe authentication server 105 and described previously.

Phase 270. The string AECLG thus obtained is displayed to the user 110on a screen, or vocally announced through a loudspeaker of the portabledevice 150.

Phase 275. The user 110, using the terminal 115, for instance throughthe keyboard, enters the string AECLG communicated thereto by theportable device 150, and the entered string AECLG is communicatedthrough the data network 120 to the authentication server 105 togetherwith the personal identification code User-ID of the user. Inalternative to the use of the keyboard, the user 110 can use the mouseof his/her terminal 115, or it is possible to exploit a directcommunication among the portable device 150 and the user terminal 115,for instance exploiting BlueTooth or NFC (Near Field Communication)technology.

Phase 280. The authentication server 105, after receiving from the userterminal 115 the string AECLG, forming the “Response” 180, and using asa reference the personal identification code User-ID of the user 110,through the algorithm 185 ascertains:

-   -   whether the user identified by the personal identification code        User-ID had previously requested to be authenticated;    -   the temporal validity of the answer from the user 110, in other        words whether the answer arrived within the time interval set by        the authentication server 105 upon generating the “Challenge”;        and    -   the correctness of the string AECLG received from the user 110,        by comparison with the value previously stored in association        with that personal identification code User-ID.

Phase 285. If the result of the above checks is positive, theauthentication server 105 can for instance:

-   -   remove the value AECLG stored in the memory support 130, to        prevent any subsequent attempt of reusing the same “Challenge”;        and    -   send or redirect the user 110 to a “welcome page”, to evidence        the occurred authentication of the user 110.

In case one or more of the above checks did not have positive result,the authentication server 105 can for instance:

-   -   remove the value AECLG stored in the memory support 130, to        prevent any subsequent attempt of reusing the same “Challenge”;        and    -   send or redirect the user to an “error page” that invites        him/her to repeat the authentication process from the beginning.

At each authentication attempt failed, the authentication server canincrease a failures counter; at the third consecutive failure, the user110 can be disabled by the authentication server 105; once disabled, theuser 110 cannot start the authentication process anymore (without beingpreliminarily re-enabled by the authentication server).

Phase 290. The application resident on the portable device 150 canautomatically terminate, after the lapse of a predetermined timeinterval, for instance one minute, from having communicated to the userthe value to be returned to the authentication server 105. The user 110may also immediately terminate such application manually, possibly afterhaving been redirected to the “welcome page.”

Herebelow an example is described of an algorithm that, starting from asequence of bits, particularly a random sequence, is able to derivetherefrom a textual string that is constituted by symbols belonging to aconfigurable alphabet (numerical or alphanumeric) and of configurablelength.

Let L be the length of the textual string that should be obtained, letS={s0, . . . , sM} be the alphabet of the symbols that will form thestring, and let M=∥S∥ be the cardinality of the alphabet S.

From the random sequence of bits generated by the (hardware or software)generator 123, T blocks I₀, I₁, . . . , I_(T) are selected, each onemade up of B bits. The parameter B can be selected according to thefollowing rule:

$B = \left\{ \begin{matrix}{\log_{2}M} & {{if}\mspace{14mu} M\mspace{14mu}{is}\mspace{14mu} a\mspace{14mu}{power}\mspace{14mu}{of}\mspace{14mu} 2} \\{\left\lbrack {\log_{2}M} \right\rbrack + 1} & {otherwise}\end{matrix} \right.$

From each one of the T blocks of bits I₀, I₁, . . . , I_(T) theassociated decimal digit I₀, I₁, . . . , is obtained, which is used asan index to select the symbol from the alphabet S; for the generic, M-thblock of bits, the associated decimal digit is I_(M). Starting from thisindex, the related symbol s_(Im) is obtained, applying following rule:

$s_{I_{m}} = \left\{ \begin{matrix}{{{S\left\lbrack I_{m} \right\rbrack}\mspace{14mu}{if}\mspace{14mu} I_{m}} < M} \\{{otherwise}\mspace{14mu}{next}\mspace{14mu}{block}}\end{matrix} \right.$

This algorithm has a rate of loss of bits P equal to P=(2^(B)−M). Incase the alphabet of symbols has a cardinality equal to a power of two,that is M≡2^(B), there is no loss of bits, otherwise there will be anumber P of unused bits. To reduce the number P of unused bits, theblocks of bits can be selected so as to obtain blocks of symbols oroverlapping blocks.

The algorithm performs a decimation scanning the bits of every block ofbits T into which the sequence of bits to be transformed into a textualstring is partitioned first from the left to the right, and subsequentlyfrom the right to the left; in this way, the length in bits of eachblock T is virtually increased, and the rate of loss P is reduced. Incase at the end of the scanning from the left to the right and from theright to left the algorithm did not converge, i.e. it was not possibleto find a sequence of symbols of the desired length L, activities can beperformed directed to find the remaining bits, restarting to read thebits of the generic block T from the to the right using one or both thestrategies described hereinafter.

a) Calculation of the Modulus

The B bits read from the generic block T are “mapped” with respect tothe selected alphabet using the rule of the modulus:s _(I) _(m) =S[mod_(M)(I _(m))]b) Reduction of the Value of B

The number of bits read from the generic block T is reduced by one, soas to increase the probability to get a numerical value capable ofindexing a symbol of the used alphabet. The calculation of B can be thefollowing:

$K = \left\{ \begin{matrix}{\left( {\log_{2}M} \right) - 1} & {{if}\mspace{14mu} M\mspace{14mu}{is}\mspace{14mu} a\mspace{14mu}{power}\mspace{14mu}{of}\mspace{14mu} 2} \\\left\lbrack {\log_{2}M} \right\rbrack & {otherwise}\end{matrix} \right.$

Another possible algorithm that can be used for transforming the randomsequence of bit constituting the “Challenge” CLG into a textual stringprovides, the characteristics and the modalities of calculation of thequantities L, S, M and B described above, to obtain a sequence ofcharacters of default length L performing only one scan of the blocks ofbit, from the left to the right.

The following variables are defined:

Q=number of bits constituting the initial random sequence of bits (i.e.the “Challenge” CLG);

W=maximum number of possible attempts of mapping of the random sequenceof bits into the textual string, that is W=Q/B;

Y=number of performed mapping attempts; and

Z=number of symbols of the textual string of length L remaining to bemapped.

Using the index I_(m) calculated as previously described, thecorresponding symbol s_(Im) is obtained according to the following rule:

$s_{I_{m}} = \left\{ \begin{matrix}{S\left\lbrack I_{m} \right\rbrack} & {{{if}\mspace{14mu} I_{m}} < M} \\{{Next}\mspace{14mu} K\mspace{14mu}{Bits}} & {{{if}\mspace{14mu} Z} > \left( {W - Y} \right)} \\{S\left\lbrack {{mod}_{M}\left( I_{m} \right)} \right\rbrack} & {{{if}\mspace{14mu} Z} \equiv {\left( {W - Y} \right).}}\end{matrix} \right.$

Concerning the encryption algorithm used by the authentication server105 and the portable device 150 of the user 110, it can possibly bereplaced by a data authentication algorithm of the HMAC (Hashed MessageAuthentication Code) type, with SHA-1 (Secure Hash Algorithm 1) hashmechanism type, that also generates as a result a string being afunction of the encryption key K of the user 110.

As known to those skilled in the art, HMAC is a non-reversible algorithmfor the authentication of messages based on a hash function. By means ofHMAC it is possible to guarantee both the integrity and the authenticityof a message. The algorithm HMAC uses a combination of the originalmessage and of a secret key for the generation of the code. Apeculiarity of the HMAC algorithm is that it is not linked to aparticular hash function, and this with the purpose of allowing thereplacement of the used hash function in case it is discovered to beweak. In the following table, some examples of calculation that exploitHMAC type SHA1 are reported.

Row Data Key Result of the calculation of HMAC with HASH type SHA1 1 1 15b0c157d4e7672444c41033561554839ed1fd2d6 2 1 marcoa9774f9c88cc84c691ca7aaf5cf42d4f58e20ad3 3 123456789 mirco404b5c7716cfe6adda7c9be1a4e0611349b99fb3 4 123456 mircocaca41a07de234932f29f92e0876672f39ebdce4 5 123456 marco73c90c08d7e5996a331fe89e3bd3d011068a9d28 6 789012 marco5e52768fde27503da90915a2f9d8beab1a888da0 7 789012 mirco510e7397ee2711be94f0ecc69a6675ab11d813d6 8 Mirco 7890129e81045405f727544ad4fb38da573f96f56c6426

It can be appreciated that, in the considered example, the result isalways a string of length equal to 40 characters, independently of thedata size and of the key (rows from 1 to 8); it is also possible to notethat the function always returns a different value for the same data totransfer, as the key changes (rows from 4 to 7).

In a practical implementation of the present invention, the user ispreferably not asked to enter on the keyboard of his/her own terminal115 all the 40 characters generated by the hash function, but rather alower number of characters such that it is possible to assess thecorrectness of the generated hash. It has been demonstrated (see thedocument RFC4635) that the function MAC type SHA1 already containscharacteristics of uniqueness of the information in the first 96 bits,or rather the first 12 bytes, and thus in the first 12 characters codedin ASCII UNICODE Standard. Such mechanism is for instance used in “IPSECEncapsulating Security Payload” and described in the document RFC 2404.IPSEC (IP SECurity) is a standard applied for achieving secureconnections on networks with IP (Internet Protocol) communicationprotocol, and the protocol “Encapsulating Security Payload” (known withthe acronym ESP) belongs to the suite of protocols IPSEC and has theobjective of providing confidentiality and control of integrity andauthenticity to the IPSEC communication using the described hashmechanism.

In a practical implementation of the present invention, in view of thefact that the “Challenge” CLG is a random sequence of bits, that, due tothe random character, it is practically impossible to generate more thanonce a same sequence, that a generic random sequence of bits ispreferably valid only for limited time, and of the fact that analgorithm of secure MAC like the SHA1 is used, it is possible to furtherreduce, for instance from 12 to 8, the number of characters that theuser has to enter (these characters are highlighted in the precedingtable as underlined) without substantially altering the security levelof the general methodology.

It can be appreciated that the translation performed to generate thestring AECLG is made on the encrypted “Challenge” ECLG, i.e. on thevalue resulting from the encryption operation of the binary “Challenge”CLG.

In the symmetrical implementation mode of the method according to theembodiment of the present invention here described, the graphic“Challenge” 145 generated and sent by the authentication server 105,displayed by the user terminal 115 and captured by the portable device150, can be defined as “in clear”, since the coding performed forobtaining the string B64CLG is done on the original binary sequence CLG.

For the coding/decoding of the graphic “Challenge” several technologiesof representation in two dimensions (2D) can be used, for instancebarcodes, particularly, although not limited to, the technologiesDataMatrix, PDF417, QR-tails, Aztec Code, MaxiCode, already commerciallyavailable at low cost.

Asymmetrical Mode

In FIG. 3 there is schematically shown, in terms of the main operationsperformed by the different players and of the information exchangedamong them, the asymmetrical mode of implementation of theauthentication method. The asymmetrical mode differs from thesymmetrical mode only in some phases of the authentication process (thesame considerations made in the description of the symmetrical modeconcerning the lengths of the sequences of bits, of the strings, theirgeneration, the usable alphabet for the textual strings and so onapply).

As in the symmetrical mode, the process of authentication of the user110 starts with an explicit authentication request submitted by the user110 who, declaring his/her own identity to the authentication server105, for instance using his/her own personal identification codeUser_ID, triggers the authentication process. Such process evolves asdescribed herebelow.

Phase 305. As in the symmetrical mode, using a suitable generator,hardware or software, the authentication server 105 generates the“Challenge” CLG.

Phase 310. As in the symmetrical mode, the authentication server 105then encrypts the sequence of bits making up the “Challenge” CLG thusgenerated with an encryption algorithm, for instance a symmetrical keyalgorithm, like the AES, using the encryption key K associated with theuser 110 identified by the personal identification code User_ID that theuser has provided to the authentication server with the authenticationrequest. An encrypted sequence ECLG is thus obtained.

Phase 315. The authentication server 105 transforms the binary sequenceCLG forming the “Challenge” into a textual string ACLG of pre-determinedlength (for instance 10 characters), preferably using an alphabet withcharacteristics similar to those described in connection with thesymmetrical mode (thus, differently from the symmetrical mode, it is therandom sequence CLG “in clear”, not the encrypted sequence ECLG, that istransformed into the textual string ACLG).

Phase 320. Preferably, the authentication server 105 establishes atemporal term of validity of the textual string ACLG, defined as themaximum time within which the authentication server waits for the user110 to return its answer thereto, that is the verification “Response”(also in this case, the term of validity can be for instance of someminutes, for instance 2 minutes).

Phase 325. The textual “Challenge” ACLG and the associated temporal termof validity are stored in a file (130 in FIG. 1) of the authenticationserver 105, waiting to be verified.

Phase 330. The encrypted binary sequence ECLG is encoded intocharacters, for instance in the Base64 format or other coding, asdescribed in connection with the symmetrical mode, obtaining a stringB64ECLG.

Phase 335. Similarly to the symmetrical mode (but using the textualstring derived from the encrypted sequence ECLG, instead of the sequence“in clear” CLG), the string B64ECLG is used by the authentication server105 for the generation of a suitable graphic “Challenge” 145, that issent through the data network 120 to the terminal 115 of the user 110.

Phase 340. As in the symmetrical mode, the user 110 starts on his/herown portable device 150 a suitable application.

Phase 345. As in the symmetrical mode, through its graphic interface,the user terminal 115 displays on its screen to the user 110 an imagecontaining the received graphic “Challenge” 145; through the portabledevice 150 the user 110 captures the image containing the graphic“Challenge”, for instance he/she takes a photograph of the displayedimage containing the graphic “Challenge”. In alternative to the displayon the screen of the terminal 115, a printout of the image on a papersupport can be provided for.

Phase 350. The application 165 resident on the portable device 150analyzes and extracts from the photographed image the string B64ECLG.

Phase 355. The application 165 on the portable device 150 converts thestring B64ECLG into the binary encrypted sequence ECLG.

Phase 360. The processing algorithm 170 on the portable device 150decrypts the encrypted binary sequence ECLG using the encryption key Kof the user (in alternative to the key K resident on the terminal it isalso possible to use as encryption key the PIN used for starting theapplication on the terminal 115), with an algorithm identical to thatused by the authentication server 105, obtaining a binary sequence CLG.

Phase 365. The portable device 150 transforms the binary sequence CLGinto a textual string ACLG, using the same methodology and alphabet usedby the authentication server 105.

Phase 370. Similarly to the symmetrical mode, the string AECLG thusobtained is displayed or vocally announced by the portable device 150 tothe user 110.

Phase 375. Similarly to the symmetrical mode, the user 110 communicates105 to the authentication server his/her personal identification codeUser-ID and the value of the textual string ACLG.

Phase 380. Similarly to the symmetrical mode, the authentication server105, after receiving from the user terminal 115 the string ACLG andusing as a reference the personal identification code User-ID of theuser 110 assesses:

-   -   whether the user identified by the personal identification code        User-ID had previously requested to be authenticated;    -   the temporal validity of the answer from the user 110, in other        words whether the answer arrived within the set time interval;    -   the correctness of the string ACLG received from the user 110,        by comparison with the value previously stored in association        with that personal identification code User-ID.

Phase 385. Similarly to the symmetrical mode, if the result of the abovechecks is positive, the authentication server 105 can for instance:

-   -   remove the value ACLG stored in the support 130, to prevent any        subsequent attempt of reusing the same “Challenge”;    -   send or redirect the user 110 to a “welcome page”, to evidence        the occurred authentication of the user 110.

In case one or more of the checks fails, the authentication server 105can for instance:

-   -   remove the value ACLG stored in the support 130, to prevent any        subsequent attempt of reusing the same “Challenge”;    -   send or redirect the user to an “error page” that invites        him/her to repeat the authentication process from the beginning.

At every attempt of authentication failed, the authentication server canincrease a failures counter; at the third consecutive failure, the user110 can be disabled by the authentication server 105; once disabled, theuser 110 cannot start the authentication process anymore withoutpreliminarily having been re-enabled.

Phase 390. The application resident on the portable device 150 canautomatically terminate, lapsed a pre-determined time, for instance oneminute, from having communicated to the user the value to be returned tothe authentication server 105. The user 110 can also immediatelyterminate the application manually, possibly after having beenredirected to the “welcome page.”

It is pointed out that the encryption algorithm used by theauthentication server 105 can be arbitrary, provided that it iscongruent with that available on the portable device 150 of the user.

It is possible to appreciate that, differently from the symmetricalmode, in the asymmetrical mode the translation performed with thepurpose of generating the verification element ACLG is directlyperformed on the value of the binary “Challenge” CLG obtained bydecrypting the encrypted sequence ECLG. The graphic “Challenge” 145generated or interpreted can be defined as sent “not in clear” orencrypted, since the encoding performed for obtaining the string B64ECLGis done on the encrypted binary sequence ECLG.

As in the case of the symmetrical mode, for the graphic coding/decodingdifferent technologies of representation of barcode can be used whichare already commercially available at low cost.

The authentication method according to the embodiments of the presentinvention has several advantages.

An advantage of the authentication method according to the presentinvention is that, for the acquisition of the authentication informationsent by the authentication server, no physical contact is necessary withthe user terminal 115 (there are no cables, radio connections or dataexchange interfaces) for the acquisition of the authenticationinformation sent by the authentication server: the acquisition is of theoptical type, and there is no risk of compromising from the securityviewpoint.

Another advantage is that on the data network 120 never transits enoughinformation to be able to reconstruct, starting from the data possiblyintercepted, the information content adapted to allow a “reverseengineering” or a “dictionary attack” with the purpose of calculating orfinding the encryption key K of the user.

Still another advantage is that the purchase of ad-hoc devices is notrequired, but rather the simple use of a device, for instance portable,equipped with an image-capturing device, for instance a camera, like acellular phone, a PDA, etc.; such devices are today already diffused onthe market and at the reach of almost all the users.

A further advantage is that although devices can be used like cellularphones and smartphones, the coverage by a mobile telephony network isnot required: it is enough to exploit the image capturingfunctionalities offered by such devices.

The coding of the “Challenge” can be encrypted for protecting theinformation against tampering during the transport on the network, ornot encrypted, but protected by coding with a non-reversible HMACalgorithm.

The graphic coding of the “Challenge”, in general, cannot be tamperedwithout the complete invalidation of the transported content; thisrepresents an intrinsic security element.

Moreover, as already mentioned, for the graphic coding varioustechnologies of representation already available on the market at lowcost can be used.

The encryption keys and the cryptography and/or MAC algorithms can befreely chosen. Such keys can be managed both by a mobile telephonyoperator in cooperation with the provider of the service, or directly bythe latter. In other words, a generic provider of on-line services can,for the authentication of its subscribers, both rely on a specificauthentication service made available by a provider of authenticationservices, and use a completely autonomous solution in which theauthentication server is directly managed by the provider of on-lineservices.

As described previously, the keys of the encryption and/or MACalgorithms can be for instance distributed, at the subscription of theauthentication service of, in optical mode, photographing, always withthe portable device 150, suitable graphics that does not contain a“Challenge” but the encryption key of the user, or Over-The-Air (OTA),via applicable SMS messages, and they can reside on a smartcard that canbe associated with the portable device 150, for instance on the SIM(Subscriber Identification Module) card of the cellular phone.

The graphic “Challenge” 145 sent to the user can contain, in addition tothe information necessary for the authentication, also other types ofinformation, like for instance the summary of a transaction, a passwordor a verification code or advertisement messages.

The image processing software for the extraction of the “Challenge” fromthe captured image can be designed for different types of cellular phoneand palmtops equipped with camera (for instance based on Symbian,WindowsMobile, Java Device platforms).

In the following of the description some examples of application of theauthentication method according to the present invention will bepresented.

In FIG. 4 there is schematically shown, in terms of the main operationsperformed by the different players and of the information exchangedamong them, a possible application of the authentication methodaccording to an embodiment of the present invention, for the access to aWeb application.

Particularly, the practical application that will now be discussed usesthe asymmetrical mode described previously with reference to FIG. 3. Thevarious phases of the authentication process are therefore thosedescribed in connection with the asymmetrical mode, to which referenceis made, and will not be described again. However, nothing prevents fromadopting the symmetrical mode.

The user Bob has a PIN, that never transits on the data network 120, andthat can have the function both of symmetrical key for the encryptionand decryption of the “Challenge” received by the authentication server105, and of making accessible the user's encryption key K during theactivation of the application on the portable device 150, for instancethe cellular phone of the user Bob.

The user Bob can insert his/her PIN on the portable device 150 whilehe/she is in a secure location, before activating the authenticationprocess.

The PIN can be provided to the user Bob at the subscription of theauthentication service, both on a paper or electronic support, or by athird party, for instance by the mobile telephony operator of which theuser Bob is a subscriber.

At the successful completion the authentication process, the user Bobcan access the desired Web service.

The authentication method can be used for accessing more services, likefor instance Internet banking services, access to an intranet, tradingservices, each of which uses a specific PIN, without the necessity ofany change at the authentication server side or at the software on thecellular phone of the user Bob.

In FIG. 5 there is schematically shown, in terms of the main operationsperformed by the different players and of the information exchangedamong them, a possible application of the authentication methodaccording to an embodiment of the present invention for an “on-line”service that allows the user to impart dispositions involving thedisbursement of sums of money, like for instance a bank draft, or apurchase of good or services. Particularly, in this practicalapplication the method according to the invention is exploited forproviding a countermeasure against attacks of the type “Man In TheMiddle” during a disposition operation.

The practical application considered in FIG. 5 uses the asymmetricalmode described in precedence. The various phases of the authenticationprocess are therefore those described in connection with theasymmetrical mode, to which reference is made, and they will not bedescribed again. However, nothing prevents from adopting the symmetricalmode.

In phase 305, the authentication server 105, for instance of the bank ofthe user Bob, generates a summary SUM of the transaction (e.g. involvinga bank draft), and such summary SUM contains the “Challenge” CLG (randomsequence of bits) to be used for the authentication/verify of theauthenticity of the imparted disposition. The summary of the transactionSUM is encrypted by the authentication server 105 using the encryptionkey K of Bob, the encrypted summary ESUM is encoded transforming it intoa textual string B64ESUM and the string B64ESUM is transformed intographic form (bidimensional barcode) and sent to the terminal (forinstance a Personal Computer) of Bob. In the phase 365, the applicationon the cellular phone 150 of Bob extracts the “Challenge” CLG from thesummary, and in the phase 370, through the cellular phone, the summarySUM of the transaction and the “Challenge” CLG are presented to Bob.

An attacker capable of interposing between the user Bob and theauthentication server 105 of the bank of the user Bob could be able toalter the information that the user Bob sends to the authenticationserver 105; nevertheless, thanks to the fact that the informationcontained in the “Challenge” are sent to the user Bob together with thesummary of the transaction, it is possible to guarantee an increasedsecurity level.

The attacker, even if able to alter the information sent by the user, isnevertheless not in condition of altering the synthetic information ofthe transaction contained in the graphic “Challenge” sent by, theauthentication server to the user, because this is encrypted.

The user can immediately realize if the information received by theauthentication server 105 differs from that he/she has entered (forinstance, in the case of a bank draft, a different beneficiary, and/or adifferent amount of money), and therefore he/she can deny thetransaction confirmation, sending a wrong or agreed verification code,for instance the digits “0000000.”

In order to confirm the transaction, the user has to re-send to theauthentication server 105 the “Response” generated starting from thereceived “Challenge”; in this way, the confirmation of the transactionis protected by a univocal verification code. This strategy allowsavoiding the re-use thereof by an attacker who can monitor a certainnumber of transactions that the user successfully concluded sending thecorrect verification code.

It is also possible that, before being able to proceed to sending to theauthentication server a disposition, the user has to authenticatehim/her at the server of his/her bank, using one of the methodologiesdescribed in the foregoing.

In FIG. 6 there is schematically shown, in terms of the main operationsperformed by the various players and of the information exchanged amongthem, a possible application of the authentication method according toan embodiment of the present invention in the context of thedistribution of multimedia contents, particularly digital televisionthrough air or cable, for instance on telephone network (IPTV).

This application of the authentication method according to the inventionis directed to provide a solution capable of increasing the securitylevel in connection with the access and/or the transactions performedusing new services (electronic mail, box-office, surveys, electronicpoll, video on-demand, etc.) offered by DTT and IPTV platforms. Suchplatforms are constituted by a user interface, normally represented by atelevision set, an apparatus installed at home of the user called “SetTop Box” (STB) or decoder by which it is possible to receive the digitalsignal (over the air in the DTT case, over a data line in the case CableTV or by broadband connection for IPTV) to which a telephone line called“return channel” is connected that, through traditional (V.90) or ISDNmodem or through broadband (ADSL) modem, allows the interaction of theuser with a service center.

In this application, the symmetrical mode previously described isexploited, to which reference is made for the detailed description ofthe various phases, and it is assumed to use as verification algorithmthe HMAC instead of the encryption. However, nothing prevents from usingthe asymmetrical mode.

The characteristics and the security level of the proposed solution areanalogous to those of the application related to the access to a Webapplication, because on the STB of the user the standard MHP (MultimediaHome Platform) allows the implementation of interactive applicationswith graphic content as allowed by the HTML and JAVA for the World WideWeb.

In FIG. 7 there is schematically shown, in terms of the main operationsperformed by the various players and of the information exchanged amongthem, a possible application of the authentication method according toan embodiment of the present invention to Automatic Teller Machines(ATMs). Particularly, the example of FIG. 7 relates to the asymmetricalmode previously described.

ATMs are normally installed both near financial institutes (bankoffices, for instance), and in malls, and they allow collecting cash orperform other low-level operations, like inspecting the balance or thebank statement of account. The ATMs represent, for the financialinstitutes, a tool that substantially affects the “customer experience”of their customers. However, bank cards to be used in ATMs are oftenlost or fraudulently subtracted, and this constitutes a problem underthe profile of the security of the system, that contributes tosignificantly increase the risks of fraud.

The problems related to the use of bank cards in ATM terminals areseveral.

The PIN that is requested to the user after having introduced the bankcard into the ATM or POS (Point Of Sale) terminal, even if short, has tobe remembered and kept secret by the user, who however often, tofacilitate his/her duty, writes it down on paper, or hides it within atelephone number in an address book, and in some cases the usercommunicates the PIN to third parties (this is for instance the case ofelder persons who communicate the PIN to relatives, assistants or thelike, whom they think to be trusted persons).

The PIN must manually be introduced by the user on the POS or ATMterminal, and can thus be seen by indiscreet eyes or by means ofmicrocameras.

The bank card stores the PIN internally, and the PIN, even if encrypted,could be subject to “brute force” attacks, for instance through aprogram that forces the opening of a compressed (ZIP) file using all thepossible combinations for the password, until the matching one is found.

The loss of the bank card is an event that involves a problem for theuser and, for the entity that issued it, a series of onerous activitieswith the purpose to block its usage.

The types of frauds inherent to this service are the cloning of the cardusing the “skimmer” technique (duplication of the data contained in thecard and simultaneous capture of the secret code entered by the user),and the capture of the card directly at the terminal (for instancethrough the “crocodile” technique, or by sequestration of the card owneror by pickpocketing).

The authentication method according to an embodiment of the presentinvention can be used in this context, particularly also on POSterminals with colour or monochrome graphic terminal.

Since in this implementation mode the user conventionally has to enter asequence of numbers on the keyboard of the ATM, the dictionary that isused to translate the random sequence of bits that constitutes theoriginal “Challenge” into a string can exclusively use a numericalalphabet, instead of alphanumeric.

According to this possible application of the method according to theinvention, the user does not know a “valid code” to be entered on thekeyboard of the ATM or POS terminal, and does not need to remember it,because such code will be provided thereto at the proper time by his/herportable device, for instance his/her cellular phone.

The PIN used for activating the application on the user's portabledevice the (that could be the same PIN that nowadays has to be enteredon the keyboard of the ATM or POS terminal) can be entered before theoperation, and in a secure place (for instance in the car or away fromthe ATM or POS terminal).

The string of numbers that the user enters on the keyboard of the ATM orPOS terminal is valid for one operation or access to the service only,and cannot be re-used, making therefore its capture useless.

ATM cards no longer stores the PIN of the user, and therefore itsduplication, loss or captures is not critical for the user.

The theft or the loss of the user's portable device does not jeopardizethe security of the system, because for activating and using theresident application a code needs to be entered (for instance the PIN).

Another possible application of the authentication method according toan embodiment of the present invention is related to electronicmessaging services (e-mail).

Particularly, the here considered application is intended to provide asolution capable of increasing the security level of electronic mailservices with the purpose of limiting the “phishing” phenomenon.

The “phishing” is a diffused computer fraud that involves the receptionby the user of an electronic mail message, apparently coming fromhis/her bank or from an on-line commerce company, that invites the userto connect, through an HTML (Hyper Text Markup Language) connection(“hyperlink”), to a web page managed by the “phisher” and apparentlyentirely “similar” to the original of the real firm. Subsequently,inside the imitated web page the user is requested to enter sensitiveinformation (password, credit card number, etc.) to be able to accessthe functionalities required in the electronic mail message (forinstance, the change of personal information, the provision of theconsent to the treatment of the information, the deletion of a financialoperation erroneously assigned to the user, etc.). The informationprovided by the user is captured (stolen) from the “phisher” who willuse it to perform, in the name of the user, undue purchases orfraudulent transactions.

Normally the electronic mail messages, also those sent by banks andfinancial institutes, are not protected, because the electronic mail isoften simply thought to be a communication, and also the users areaccustomed to consider it like this. Often, the protection is onlyrelated to the access to companies' Web sites, for which the user has toinsert his/her credential whose validity is verified only at the accesstime. The user does not have a direct possibility of verifying thevalidity of the sender and the content of the electronic mail message,and he/she does not even have the possibility of verifying the validityof the accessed web page.

The problem therefore exists of protecting the content of electronicmail messages with a simple and effective system. The electronic mailmessage can be protected using the strategy described by way of examplehereinafter.

According to an embodiment of the present invention, hypertext linksusable by the user are not directly included within the text of anelectronic mail message.

All the confidential and sensitive information are put inside a documentattached to the electronic mail message, having a format such as to bemodifiable only by those who created it (for instance, the attacheddocument can be a file in PDF—Portable Document Format—format, protectedagainst changes) and whose readability is protected by a password. Inthe attachment to the electronic mail message it is possible to insert,in addition to the confidential information, also links that allow theuser to reach a Web site like the portal of a bank.

The electronic mail message contains the authentication information ingraphic form (i.e., the graphic “Challenge”) generated by theauthentication server at the time of creation of the electronic mailmessage.

To increase the security level, the graphic authentication “Challenge”can contain additional information related to the attachment, like forinstance a verification code, random parts of the message, date and timeof issue, the answer to a “secret question” that the user has defined atthe subscription of the service.

FIG. 8A shows the possible aspect of an electronic mail message receivedby the user. FIG. 8B shows instead the possible aspect of an attachmentto the electronic mail message, for instance in PDF format, containingthe confidential information and a link to the site of the bank.

FIG. 9 schematizes a process of local verification of the authenticityof the electronic mail message.

The user receives from the sender 905 the electronic mail message 910,and displays it on his/her terminal (for instance, PC) 115, then theuser activates the application on his/her portable device 150 (forinstance the cellular phone), preferably using a PIN; then the usertakes a photograph, with the camera 155 of the cellular phone 150, ofthe image displayed on the screen of the PC 115 and reads the stringdisplayed by the cellular phone 150 (derived by processing of thegraphic “Challenge”, as described in the foregoing), or he/she listensto its vocal declamation at the loudspeaker of the cellular phone.

The user then requests to open the attachment 915 to the electronic mailmessage 910, and the request of insertion of a password 920 is presentedto the user; the user inserts the password previously read on orlistened from the cellular phone 150, so that a resident application onthe PC 115 can display the content of the attachment 915. In this way,entering the correct password, the user is authenticated, and, as aresult of the occurred authentication, he/she can access the informativecontent of the attachment.

Inside the attachment 915 the insertion of one or more links 925 thatallow the user to safely reach the correct Web site is possible.

With the purpose of increasing the general security level of themethodology, the Web site reached by the user through the link presentin the attached document 915 could use in turn an authenticationmechanism based on a graphic “Challenge” and a “Response” from the user,as described in the foregoing. In this case, inside the attachment 915 afurther graphic “Challenge” 930 will be present, from which the user canderive the credentials for accessing the service (password/PIN/ID orUserID and password/PIN).

In this way, all the sensitive information are contained in the fileattached to the electronic mail message, and they are protected by anencrypted OTP (One Time Password) represented in graphic form andcontained in the electronic mail message. The message and the attachmentcan be duplicated, but only for the user to which it is addressed,making therefore useless their re-use because the attachment is notreadable by other users.

The process allows the user to immediately realize if anything issuspicious, as for instance the lack of the graphic “Challenge” or theimpossibility to read it or an enclosure that does not require thepassword or in which the password does not work.

The graphic “Challenge” cannot be imitated, because for its generation,or to derive therefrom the password that the user has to enter foropening the attachment, it is necessary to know the encryption key,shared only between the portable device of the user and the entity thatsends the electronic mail message.

This methodology also allows electronic mail messages on publicterminals and electronic mail services to be read, since the portabledevice of the user is the only device capable of decoding the graphicsand derive the codes for reading the enclosure.

Another possible application of the present invention in the e-mailservices consists in the possibility that an e-mail message is sent tothe user containing a graphic “Challenge”, from which the user canderive, in the described way, a “Response” to be used as an access codeto a Web site from which to get from the message sender a confirmationof the authenticity of the received e-mail message. The address (URL) ofthe Web site to which to connect can be contained in the same graphic“Challenge” and shown to the user by his/her portable device.

The use of the PDF format for the attachment allows making its contentunmodifiable.

Moreover, no radio connectivity is required for the verification of theelectronic mail message.

The present invention has been described here presenting some possibleembodiments; nevertheless, those skilled in the art can make severalchanges to the embodiments described, or devise alternative embodiments,without departing from the scope of protection of the invention definedin the appended claims.

For instance, the Base64-format coding might not be foreseen, forinstance in the case in which the graphics used for encoding the“Challenge” supports the transfer of the information in binary form,that is the coding from hexadecimal to ASCII is made directly by theimage processing algorithm 140 when generating the bidimensionalbarcode.

The invention claimed is:
 1. A method of authentication of users in adata processing system, the method comprising: generating a challengeunivocally associated with a user to be authenticated; processing thechallenge to generate an expected answer code to be compared to ananswer code that the user provides for authentication; encoding thegenerated challenge to obtain an image displayable on a display device;sending the image containing the challenge to the user; displaying theimage containing the challenge on the display device; capturing, by auser device having an image-capturing device, an image of the displayedimage containing the challenge; processing, by the user device, thecaptured image for extracting the challenge from the captured image, andsubsequently processing the extracted challenge for generating theanswer code; receiving the answer code from the user and comparing theanswer code to the expected answer code; and in case of positivecomparison, authenticating the user, wherein one among said actions ofgenerating the challenge and the expected answer code and said action ofprocessing the captured image to generate said answer code exploitsecret information univocally associated with the user.
 2. The method ofclaim 1, wherein said generating the expected answer code includesassociating a time validity limit with the expected answer code, andsaid receiving the answer code from the user and comparing the answercode with the expected answer code includes assessing if the answer codefrom the user is received within said time validity limit.
 3. The methodof claim 1, wherein said generating the challenge comprises generating asubstantially random sequence of bits.
 4. The method of claim 3, whereinsaid generating the challenge comprises encoding the substantiallyrandom sequence of bits into a first string of alphanumeric charactersthat univocally represents the challenge.
 5. The method of claim 4,wherein said encoding the challenge comprises encoding the first stringof alphanumeric characters, and encoding the encoded first string ofalphanumeric characters to obtain the image displayable by the displaydevice.
 6. The method of claim 5, wherein said generating the expectedanswer code includes encrypting the substantially random sequence ofbits with said secret information or calculating a hash of thesubstantially random sequence of bits with said secret information. 7.The method of claim 6, wherein said generating the expected answer codeincludes encoding the encrypted substantially random sequence of bits orthe hash of the substantially random sequence of bits to obtain a secondstring of alphanumeric characters and storing the obtained secondstring.
 8. The method of claim 7, wherein said processing the capturedimage for extracting the challenge from the captured image andgenerating the answer code includes: decoding the first string ofalphanumeric characters to obtain the substantially random sequence ofbits; encrypting the substantially random sequence of bits with saidsecret information to obtain a further encrypted substantially randomsequence of bits, or calculating a hash of the substantially randomsequence of bits with said secret information; and encoding the furtherencrypted substantially random sequence of bits or the hash of thesubstantially sequence random of bits to obtain the second string ofalphanumeric characters, said second string of alphanumeric charactersconstituting the answer code.
 9. The method of claim 3, wherein saidgenerating the challenge comprises encrypting the substantially randomsequence of bits with said secret information.
 10. The method of claim9, wherein said generating the challenge comprises encoding theencrypted substantially random sequence of bits into a first string ofalphanumeric characters, and encoding the first string of alphanumericcharacters to obtain the image displayable by the display device. 11.The method of claim 10, wherein said generating the expected answer codeincludes encoding the substantially random sequence of bits into asecond string of alphanumeric characters and storing the obtained secondstring.
 12. The method of claim 11, wherein said processing the capturedimage for extracting the challenge from the captured image andgenerating the answer code includes: decoding the first string ofalphanumeric characters to obtain the encrypted substantially randomsequence of bits; decrypting the encrypted substantially random sequenceof bits with said secret information to obtain the substantially randomsequence of bits; and encoding the substantially random sequence of bitsto obtain the second string of alphanumeric characters, said secondstring of alphanumeric characters constituting the answer code.
 13. Themethod of claim 1, wherein said encoding the generated challenge toobtain the image comprises generating a bidimensional barcode.
 14. Themethod of claim 1, wherein said authenticating the user includesenabling the user to access, through a user data processing terminalconnected to a data network, a service made available by a serverconnected to said network.
 15. The method of claim 1, wherein saidencoding the generated challenge to obtain the image comprises includingsummary information in the image, the summary information adapted toidentify a transaction performed by the user.
 16. The method of claim 1,wherein said sending the image containing the challenge to the usercomprises including the image in an electronic mail message, and sendingthe electronic mail message to the user.
 17. The method of claim 16,wherein said authenticating the user includes allowing the user todisplay an electronic document attached to the electronic mail message.18. A system for the authentication of users in a data processingsystem, the authentication system comprising: a) an authenticationserver, said authentication server adapted to: generate a challengeunivocally associated with a user to be authenticated; process thechallenge to generate an expected answer code, to be compared to ananswer code that the user provides for authentication; encode thegenerated challenge to obtain an image; send the image containing thechallenge to a data processing terminal of the user through a datanetwork; wherein the user data processing terminal comprises a displaydevice adapted to display the image containing the challenge; b) a userdevice provided with an image-capturing device adapted to capture animage of the displayed image containing the challenge, the user deviceadapted to process the captured image for extracting the challenge fromthe captured image and to process the challenge to generate an answercode to be compared to the expected answer code for authenticating theuser, wherein one among said actions of generating the challenge andgenerating the expected answer code, and said action of processing thecaptured image to generate the answer code exploits secret informationunivocally associated with the user.
 19. A non-transitorycomputer-readable media storing computer-readable instructions that,when executed by a computing device, cause the computing device to:capture an image of an image displayed on a display device, wherein thedisplayed image is an encoded challenge univocally associated with auser to be authenticated, wherein the encoded challenge has acorresponding expected answer code used for authentication; process thecaptured image for extracting the challenge from the captured image;process the extracted challenge to generate an answer code; and displaythe answer code on a display unit of the computing device, wherein theanswer code is to be compared to the expected answer code forauthenticating the user.